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ABSTRACT 


Thj s report presents candidate designs and their software imple- 
mentation for the Orbital Maneuvering System (OMS) Failure Detection 
and Identification (FDD algorithms in the Redundancy Management (RM) 
module of the Space Shuttle Guidance, Navigation, and Control (GN6C) 
software. The OMS engine FDI algorithm monitors OMS engine thrust 
performance, and the OMS actuator FDI algorithm monitors OMS gimbal 
actuator performance. 

Section 1 describes the software functional requirements of the 
algorithms. It contains a statement of the objective of each algorithm, 
a list of the assumptions which have governed its design, input-output 
requirements, a functional description of the algorithm (including a 
functional block diagram), and input interface requirements. Section 2 
is concerned with the HAL* software formulation of the algorithms. This 
section contains structured flowcharts of the procedures, estimates of 
flight computer core storage and CPU time, and processing requirements. 
Section 3 contains a glossary of the symbols used to define the soft- 
ware requirements and formulation, and the Appendices contain material 
which is supportive in nature to the preceding sections. 


* 


HAL is the language of the Space Shuttle flight computer. 



FOREWORD 


This document details a preliminary baseline design for the 
Orbitar Maneuvering System (OMS) Failure Detection and Identification 
(FDD algorithms. This report is intended to be a comprehensive pre- 
sentation of the material introduced by The Charles Stark Draper 
Laboratory, Inc. SSV Memo 75-10C-43, “Preliminary OMS FDI Algorithm 
Description Report . ” 

This publication describes the design of the OMS FDI software in 
its present state of development. The primary intent of this document 
is to provide a reference for the OMS FDI algorithms incorporated into 
the Redundancy Management (RM) module. It does not specify either the 
structure or the design of the entire RM module, but presents the soft- 
ware functional requirements and software formulation of that portion 
of the RM module which is concerned with OMS FDI. The design of the 
OMS FDI software is continually undergoing revision, and the integra- 
tion of OMS FDI software with the remainder of the RM software is a 
concern to be addressed in the future. Consequently, the material con- 
tained herein should be considered a snapshot of an evolving process. 

The OMS FDI system presented in this report consists of an OMS FDI 
executive, an OMS engine FDI procedure, an OMS actuator FDI procedure, 
and two input interface routines. The OMS FDI executive interrogates 
the status of mode or event flags set by higher-level software, performs 
various initialization actions, and calls the OMS engine and actuator 
FDI procedures and their respective input interface routines. The OMS 
engine and actuator FDI procedures monitor OMS engine thrust performance 
and OMS gimbal actuator performance, respectively, and set failure flags 
which signify the fault status of these OMS components. The function 
of an input interface routine is to restructure RM input data into a 
form acceptable to its corresponding OMS FDI procedure. 

The OMS FDI algorithms have been coded in HAL ana will bo imple- 
mented and tested on the Statement Level Simulator (SLS) which is being 
developed at the Draper Laboratory for the testing of Space Shuttle flight 
programs written in HAL. 
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SECTION 1 

SOFTWARE FUNCTIONAL REQUIREMENTS 


The functional requirements of the Orbital Maneuvering System (OMS) 
Failure Detection and Identification (FDI) algorithms in the Redundancy 
Ma- agement (RM) module are described in this section. The description 
begins with an overview which relates the RM module to the other Guidance, 
Navigation, and Control (GN&C) major functions, and defines its internal 
structure and interfaces only to the extent necessary for a clear under- 
standing of the OMS FDI system. An illustration of the relationship be- 
tween the OMS FDI procedures in the RM module and the Flight Control (FC) 
functions and vehicle systems with which it interacts completes the 
overview. The section continues with a discussion of the functional re- 
quirements of the OMS FDI executive. The OMS engine and actuator FDI 
algorithms are then discussed individually. For each algorithm, its 
objectives, assumptions, input-output requirements, and a functional 
description illustrated by a functional block diagram are presented. 

Also included is a discussion of the functional requirements of each 
algorithm's input interface routine. The functional block diagrams in 
this section relate on a one-for-one basis with the actual HAL procedure 
flowcharts in Section 2. A glossary of the symbols used in this section 
to represent computer variables appears in Section 3. 

1.1 Overview 

The FC module controls the attitude and translation of the Space 
Shuttle Orbiter (SSO) during the on-orbit flight phase by utilizing as 
effectors the Reaction Control System (RCS) and/or Thrust Vector Control 
(TVC) of the OMS. The RCS consists of 38 primary fixed jets (900-pound 
thrust) and 6 vernier fixed jets (25-pound thrust) . The OMS is a pair 
of 6000-pound-thrust rocket engines which can be gimballed independently 
of one another in pitch and yaw by electromechanical gimbal actuators. 

The OMS provides the propulsive thrust for orbit insertion, orbit cir- 
cularization, orbit transfer, rendezvous, and deorbit. The OMS FDI 
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function, however, is contained within the RM module. Figure 1-1 shows 
the relationship of the RM and FC modules to one another, to the other 
GN&C major functions, and to the Space Shuttle sensors, effectors, con- 
trols, and displays. The RM module is scheduled by the Moding, Sequencing, 
and Control (MSC) software via the Flight Computer Operating System (FCOS) . 

The primary OMS FDI processing is accomplished by two procedures; 
the OMS engine FDI procedure, which monitors OMS engine thrust performance, 
and the OMS actuator FDI procedure, which monitors OMS gimbal actuator 
performance. Other OMS FDl-related functions in the RM module are the 
OMS FDI executive and the input interface routines. The internal struc- 
ture and interfaces of the RM module (only insofar as they relate to 
OMS FDI) are shown in Figure 1-2. The OMS FDI executive is responsible 
for scheduling the OMS engine and actuator FDI procedures and the input 
interface routines, whose general function is to translate data supplied 
externally to the RM module into a f<»rm acceptable to the FDI procedure. 

The OMS engine and actuator FDI proceoures may run concurrently. 

The interactions between the OMS FDI procedures, the relevant func- 
tions of the FC module, and other related vehicle components and systems 
are shown in Figure 1-3. OMS TVC steering commands (from the Guidance 
module) drive the OMS TVC Digital Aitopilot (DAP) in the FC module. The 
OMS TVC DAP supplies OMS gimbal deflection commands to the OMS gimbal 
actuator servomechanism.* The actuator output extension causes the 
engine to deflect and the resulting vehicle rotational and translational 
dynamics are sensed by the IMU. The IMU attitude signals are returned to 
the FC module for use in the state estimator and various other submodules 
(not shown) . The roll dis^.urbance acceleration estimate of the FC state 
estimator, the FC-generated OMS engine ON/OFF commands, and IMU velocity 
signals are inputs to the OMS engine FDI procedure in the RM module. 

The FC-gensrated OMS gimbal deflection commands and the OMS actuator 
output extension (senfied by a positicr. transducer) are inputs to the 
OMS actuator FDI proci'dure. Note that in addition to their function 
as crew display failure indicators, the OMS engine failure flags are 
used to automatically reconfigure the FC module. Similarly, the OMS 
actuator failure flags are used by RM to activate redundant actuator 
components . 


* 

Only one OMS gimbal actuator channel is shown here for simplicity. 
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Figure 1-1. Relationship between the RM module and other 
GN&C major functions. 















Figure 1-2. 


Relationship between the QMS FDI executive and the 
OMS FDI procedures within the RM module. 
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Figure 1-3. 


Block diagram relating the OMS FDI procedure to the 
FC module, vehicle dynamics, and the IMU. 


r0?KODUC®U; 

OWGKAb PAGf' 


r OK TUli 
IS P(X)R 


5 














1.2 OJiS FDI Executive 


The OMS FDI executive is that subset of the RH executive which 
performs the following functions: 

(1) OMS engine and actuator FDI procedure calls. 

(2) Input interface routine calls. 

(3) Initialization. 

It should be noted here that at the time of publication of this report 
it is not clear whether the OMS FDI executive will be a separate procedure 
or part of the RM executive. 

The primary task of the OMS FDI executive software is to interrogate 
the status of mode or event flags in order to schedule the OMS FDI pro- 
cedures and the input interface routines during those flight phases for 
which OMS FDI processing is needed. In general, these mode or event 
flags are set or cleared by higher-level software associated with crew 
interface and mission sequencing. For excunple, during normal OMS opera- 
tion, a mode or event flag would be set indicating that an OMS burn is 
in progress, and the OMS FDI executive would begin invoking both the OMS 
engine and actuator FDI procedures and the input interface routines. To 
carry the example further, if an OMS burn and OMS FDI processing are in 
progress and a mode or event flag is set indicating the initiative of 
RCS-assist for attitude control, then the OMS FDI executive would termi- 
nate OMS engine FDI processing (for reasons explained in Section 2.3.3). 

As one final example, if a test of the OMS gimbal actuators were to be 
performed before each OMS burn, a mode or event flag indicating that 
situation would be set, and the OMS FDI executive would begin only OMS 
actuator FDI processing. To summarize, in response to the status of 
various mode or event flags, the OMS FDI executive pei forms calls to the 
FDI procedures and the input interface routines. These calls are per- 
formed in the proper sequence and with the proper frequency such that 
OMS engine and actuator performance are monitored correctly. 

The OMS FDI executive is also responsible for certain initializa- 
tion actions: 

(1) Before the first entry into the OMS engine and actuator FDI 

procedures (i.e., before the first instance of OMS operation), 
the OMS 1 JI executive must ensure that the OMS engine and 
actuator failure flags are initialized to OFF. 
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The OMS FOI executive will also have to reinitialize OMS 
engine or actuator failure flags in response to crew input. 

For example# if an OMS engine or actuator failure flag had been 
turned ON in the past, the crew night decide to override the 
flag either to force the use of a previously failed component 
or because it was thought that a false alarm had occurred. 

(3) The OMS FDI executive is responsible for setting individual 
initialization flags used as inputs to the OMS engine and 
actuator FDI procedures upon first entsry into each of the 
procedures, or upon entry after a period during which a 
procedure was not being scheduled. (The initialization flag 
is set for only one call to the procedure each time and is 
cleared immediately thereafter.) 

The actual software formulation of the OMS FDI executive will de- 
pend upon the general requirements discussed in this section and the 
more specific processing requirements discussed in Sections 2.3.3 
and 2.4.3. 

1.3 OMS Engine FDI 
1.3.1 Objective 

The objective of the OMS engine FDI algorithm is to detect and 
identify off-nominal thrust performance of the two OMS engines. 

Off-failures of one or both engines are detected by comparing 
the actual increment in the added velocity due to OMS thrust over a 
specified time interval to one-engine and two-engine threshold values. 
This velocity increment is derived from IMU-mounted accelerometer data. 
Ignition of either engine (if not commanded) is considered to be an 
o.. -failure, and is detected in the same manner. 

Identi f icatio n , or pinpointing a failure to a specific engine, 
is accomplished by testing the roll disturbance acceleration estimate 
as generated by the on-orbit FC3 state estimator. The roll disturb- 
ances acceleration estimate is essentially the difference between 
the measured acceleration and the predicted (modelled) acceleration. 
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If a failure is detected but not yet identified, a single failure- 
detection flag will be activated. Identified failures, on the other hand, 
cause individual failure flags, one for each engine, to be activated. 

1.3.2 Assumptions 

The following assumptions apply to the OMS engine FDI algorithm: 

(1) The OMS engine FDI algorithm is capable of detecting and 
identifying hard failures only; i.e., full-off or full-on 
failures. 

(a) A full-off failure is defined as the case in which an 
engine is providing essentially zero thrust when com- 
manded ON. 

(h) A full-on failure is defined as the case in which an 
engine is providing essentially full thrust when com- 
manded OFF. 

(2) The OMS engine FDI algorithm is capable of detecting and 
identifying single engine failures and failures of both 
engines whether simultane >us or sequential. 

(3) The nominal operational alignment of the OMS engines is such 
that the OMS thrust vectors are parallel and point in a direc- 
tion which results in zero net torque on the vehicle. (For 
this alignment, the thrust vectors will be in or near the 
vehicle XZ plane.) 

(4) OMS engine FDI processing is inhibited during RCS jet firings. 

1.3.3 Input-Output Requirements 

The inputs to the OMS engine FDI procedure are: 


(1) 

The IMU measured added velocity since the 
OMS burn. 

beginning 

of the 

(2) 

The roll disturbance acceleration estimate 
FC state estimator. 

from the 

on-orbit 

(3) 

The OMS engine ON/OFF commands. 



(4) 

An initialization flag. 
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The outputs of the OMS engine PDl procedure are: 

(1) An OMS detect flag which indicates that an OMS engine failure 
has been detected . 

(2) Two OMS failure flags which indicate that an OMS engine 
failure has been identified . 

Table 1-1 lists these parameters. Included for each variable or 
constant are its computer and mathematical notation, description, units, 
value or range, and sampling rate. 


Table 1-1. Input-output requirements for OMS ENGINE FDl. 



Name of Variable or Constant 




Sample 

Cateqory 

Computer 

Notation 

Mathematical 

Notation 

Description of 
Variable or Constant 

Units 

Value of 
Range 

Rate 

(words/s) 

Inputs 

ACCim_ 

DELTA_V 

V 

—a 

Added velocity due to 
OMS thrust 

ft/s 

0£x<3.0 

25 


ROLL_DISTORB 

ACCEL 

r 

Roll disturbance 
acceleration 
estimate 

deg/s 

-2.0<^x 

<2.0 

25 


0MS1_0N CMD 

OMSICMJMD 

OMS Eiigine 1 ON/OFF 
command 

None 

0,1 

25 


OMS2_ON_CMD 

C»!S2_ON_CMD 

OMS Engine 2 0 /OFF 
command 

None 

0.1 

■>5 


OMSE INIT 
FLAG 

OMSE INIT 
FLAG 

Initialization flag 

None 

0.1 

1 

Outputs 

0MS1_FAIL 

OMSl_FAIL 

OMS Engine 1 failure 
flag 

None 

0 1 

25 


0MS2_FAIL 

0MS2_FAIL 

OHS Engine 2 failure 
flag 

None 

0,1 

25 


0HS_FA1L_ 

DETECT 

OMS_FAII,_ 

DETECT 

OMS engine failure 
detection flag 

None 

0,1 

25 
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1.3.4 Functional Description 

The logic for activating the three failure flags which can be set 
for off-nominal performance of the OHS engines is shown in Figure 1-4. 

Note that the OMS engine FDI procedure makes two basic tests 
(explained in the following) during its cycle. The procedure is called 
once tier : acond, and the variables involved in the tests are: 

(1) The computed increment in the added velocity due to OHS thrust 
which has occurred (as sensed by IHU-mounted accelerometers) 
over the l-second interval since the last call. 

(2) The roll disturbance acceleration estimate from the FC state 
estimator . 

omparing the actual sensed increment in added velocity with 
threshold values for one and two engines, the number of engines 
that are truly firing is determined. By inspecting the roll disturb- 
ance acceleration estimate a failure of either engine, if one has 
occurred, can be identified. In the case of a failure, the failure flag 
for Engine 1, 0HS1_FAIL, or for Engine 2, 0HS2_FAIL, will be activated 
if the roll disturbance acceleration estimate is outside a deadzone. 

The sivn of the roll disturbance acceleration estimate determines which 
engine has failed. If Engine 1 is firing, the roll disturbance accelera- 
tion i£ always negative, and if Engine 2 is firing, the roll disturbance 
acceler ition is always positive, provided that the disturbance is caused 
by a failure of a single engine during a two-engine burn or when neither 
engine ic conananded (Assumption 3 in Section 1.3.2 ensures that 

there will be a disturbance acceleration.) 

If the roll disturbance acceleration estimate is inside the dead- 
zone, either the failed engine cannot be identified, or there has been 
no failure (i.e., single-engine burn). However, the third flag, OHS_ 
FAIL DETECT w; 11 be activct^d if both engines have the same ON/OPF com- 
mand (i.e., not a sing: i-engine burn). 

Latching fea. .res are incorporated in the logic so that a failure 
flag is not cleared if it were set during any previous cycle. That is, 
a failure f’ng which had been previously set to ON will not be reset to 
OFF when ( 'le engine command for that failed engine is reset to OFF. 
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when two engines are firing, the failure flags will be set to OFF 
as long as both engines have been coirananded to fire. However, if it is 
determined that two engines are firing, but only one engine has been 
commanded to fire, then the failure flag of the engine not commanded to 
fire will be set to ON. 

Similarly, when one engine is firing, a failure flag will not be 
activated as long as the commanded engine is firing. It it is deter- 
mined that one engine is firing and the roll disturbance test indicates 
that the wrong engine is firing, the appropriate failure flag will be 
set to ON. 

Note that since the OMS_FAIL_DETECT flag is activated by an 
exclusive-or function in the single-engine-firing case (with no appre- 
ciable roll disturbance) , it will be set to ON only if both engines have 
the same firing commands. That is, the flag will come ON i,. either both 
engine commands are ON or both engine commands are OFF. Those two 
possible combinations of commands in conjunction with thrust from only 
a single engine imply a failure. 

Possible combinations of failure flags generated by the ONS_ENGINE 
FDI procedure for the cases of two, one, or zero engines firing are dis- 
cussed further and illustrated in Section A. 3 of the Appendix. 

1.3.5 QMS Engine FDI Input Interface Routine 

The OMS engine FDI input interface routine accepts IMU accelerom- 
eter data rrom the Subsystem Operating Programs (SOP) and derives 
from that data the velocity added to the vehicle due to OMS thrust 
since the beginning of the current OMS burn. 

Essentially, this input interface routine reformats SOP velocity 
information into the quantity, v^, specified in the input-output require 
ments of the OMS engine FDI procedure given in Section 1.3.3. 

1.4 OMS Actuator FDI 
1.4.1 Objective 

The objective of the OMS actuator FDI algorithm is to detect and 
identify off-nominal performance of the pitch and yaw gimbal actuators 
of the two OMS engines. Since inputs for performance monitoring of the 
four actuators are made available and processed separately for each 
actuator, the failure detection and identification problem redacos to 
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one of detection only. Failures are detected by testing the increment 
in the measured gimbal deflection over a specified interval of time if, 
during that time, the actuator is commanded to deflect the engine gimbal 
continuously in the same direction, and the gimbal is not driven to a 
stop. Two successive failure indications are necessary before an OMS 
actuator failure flag is set. 

The four OMS actuator failure flags are monitored for activation 
of redundant actuator channels and for display to the crew. 

1.4.2 Assumptions 

The following assumptions apply to the OMS actuator FDl algorithm: 

(1) The OMS actuator FDI algorithm is capable of detecting and 
identifying full-off failures only. 

(2) An unfailed OMS actuator achieves a steady-state nominal 
extension rate within two minor cycles (80 ms) in response 
to an applied voltage. 

(3) The accuracy of the OMS actuator output position transducer 
is sufficient to permit the use of gimbal deflection incre- 
ments over six minor cycles (240 ms) to detect full-off 
failures with zero probability of a false alarm. 

(4) The OMS actuator FDI algorithm is not capable of detecting 
failures downstream of the actuator output, i.e., in the 
gimbal mounting structure. 

1.4.3 Input-Output Requirements 

The inputs to the OMS actuator FDI procedure are: 

(1) The OMS gimbal deflection commanded for each actuator from 
the Thrust Vector Control (TVC) DAP in the FC module. 

(2) The OMS gimbal deflection for each actuator as measured by 
the actuator output position transducer, a linear voltage 
differential transformer.* 

(3) A procedure call counter. 

(4) An initialization flag. 


* 

The actuator extension length (measured from null), rather than the 
OMS gimbal angle itself, is the sensed quantity. 
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The outputs of the OMS actuator procedure are: 


(1) Four OMS actuator failure flags. 

(2) Four OMS actuator extension indicators, which signify whether 
each actuator is being commanded to extend, retract, or re- 
main stationary. 

Table 1-2 lists these parameters. Included for each variable or 
constant are its con^uter and mathematical notation, description, units, 
value or range, and sampling rate. 


Table 1-2. Input-output requirements for OMS ACTUATOR FDI. 



1 Name of variable or Constant 




Sample 

Category 

Computer 

Notation 

Mathematical 

Notation 

Description of 
Variable or Constant 

Units 

Value of 
Range 

Rate 

(Mords/s) 

Inputs 

[OMSjGIMBALl 

n 

Array of measured OHS 
gimbal deflections 

deg 

-8.0<x<B.C 

25 


IOMS_GIMBAL_ 

CMDl 


Array of commanded OHS 
gimba] deflect 

deg 

-8. Dot <8.0 

25 


OMSA_CALL 

COUNTER 

OMSA_CALL 

COUNTER 

Procedure . »ll counter 

None 


1 


OMSA_INIT_ 

FLAG 

OMSA_INIT_ 

FLAG 

Initialization flag 

None 


1 

Outpur ■ 

(OFS_ 

.''TUATOR_ 

FAILI 

(F] 

Array of OMS actuator 
failure flags 

None 

0.1 

25 


[OMS_ 

ACTUATOR 

EXTEND] 

(El 

Array of OHS actuator 
extension indicators 

None 

-1,0,1 

1 
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1.4.4 Functional Description 

Each of the OMS engines is equipped with two gimbal actuators which 
are used to control nozzle deflections in pitch and yaw. The pitch and 
yaw actuators are identical in design except for the stroke length « and 
contain redundant channels which couple to a common drive assembly. 

The OMS gimbal actuator servo loop is described in more detail in 
References 2, 3, 4, and 5. However, familiarity with its operation will 
aid in understanding the OMS actuator FDI procedure. Figure 1-5 is a 
simplified block diagram of an OMS gimbal actuator servo loop. The 
gimbal deflection command is differenced with the measured gimbal deflec- 
tion to obtain the gimbal deflection error. The deflection error is 
then supplied to a servo amplifier which is a bang-bang amplifier with 
deadzone and hysteresis. The output of the servo amplifier is the 
actuator input voltage which drives the actuator motor. The output of 
the actuator motor is the actuator extension measured from null. A 
Linear Voltage Differential Transformer (LVDT) position transducer 
senses the actuator output extension and converts it to the measured 
gimbal deflection. The actual gimbal deflection is the outout of the 
OMS gimbal mounting structure dynamics, while the measured gimbal deflec- 
tion is inferred from the actuator output extension. 

If the gimbal deflection error is outside the servo amplifier 
deadzone, the actuator is being commanded to extend or retract. If the 
gimbal deflection error is within the servo amplifier deadzone, the 
actuator may or may not be commanded to extend or retract depending 
upon the past history of the gimbal deflection error. For purposes of 
OMS actuator failure detection, the actuator is assumed to be continuously 
extending or retracting only if the gimbal deflection error remains out- 
side the servo amplifier deadzone. 

The OMS actuator FDI algorithm determines whether an actuator has 
failed by testing the increment in the measured gimbal deflection which 
occurs over six minor cycles, if the actuator is being commanded to ex- 
tend or retract continuously for that period (according to the definition 
given immediately above) , and if the engine gimbal is not driven to a 
stop. The OMS actuator FDI procedure is called at least once every 
second. It may be called on eight successive minor cycles after the 
first pass, depending upon the results of the first and subsequent 
passes. The "procedure call counter" input indicates to the procedure 
which of the nine possible passes is occurring. The "actuator extension 
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Figure 1-5. Simplified block diagram of an OMS gimbal actuator 
servo loop. 
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indicator" outputs are used by the OMS FDI executive to determine whether 
the next call should be executed. An explanation of what occurs on each 
pass is given in Sections 1.4. 4.1 through 1.4. 4. 5. 

1 . 4 . 4 . 1 First Pas s 

Once per second a first call is made to the procedure. Figure 1-6 
is a functional block diagram of this first pass, and illustrates actua- 
tor FDI actions at this point of the procedure. Note that the actuator 
extension indication, is established on this pass. Note also that 

the actuator failure flag, F, does not change status. 

On this pass, and on all subsequent passes, the gimbal deflection 
error of each actuator is computed and checked as shown in Figure 1-7. 

The extension indicator for each actuator is set to -1, 0, or H, accord- 
ing to whether that actuator is being commanded to retract, remain sta- 
tionary, or extend, respectively. Also, the extension indicator is set 
to zero to inhibit gimbal deflection increment threshold testing if the 
measured gimbal deflection indicates that the engine gimbal is at a stop. 
The failure counter is set to zero only if the gimbal deflection error 
is within the servo amplifier deadzone. 
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Figure 1-6. Functional block diagram of the first pass 
of OMS ACTUATOR FF . 
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Figure 1-7. Functional block diagram of the computation of 
E and C within OMS_ACTUATOR_FDI . 

1 . 4 . 4 . 2 Second Pass 

One minor cycle (40 ms) after the first call, the second call is 
made by the OMS FDI executive if any actuator extension indicator output 
from the previous pass is nonzero. On this pass, the gimbal deflection 
error and extension indicator are recomputed for those actuators which 
had a nonzero extension in<? ' cator output from the first pass. If the 
second-pass value differs from the first-pass value, the extension indi- 
cator and the fc ■ lure counter are set to zero. The actuator failure 
flag does not change status. 

These actions are illustrated in Figure 1-8, and are identical to 
those occurring during the fourth through eighth passes. 

1.4.4. 3 Third Pass 

One minor cycle after the second call, the third call i& made by 
the executive procedure if any actuator extension indicator output from 
the previous pass is still nonzero. On this pass, th«, gimbal deflei. ..on 
error and extension indicator are computed for those actuatcis which had 
a nonzero extension indicator output from the second pass. 
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Figure 1-8. Functional block diagram of the second and fourth 
through eighth passes of OMS_ACTUATOR_FDI . * 


Note from Figure 1-9 that if the third-pass value of the extension 
indicator is equal to the first-pass value, the r^esc-tit measured gimbal 
deflection is saved as Otherwise, the extension indi -rator and • 

failure counter are set to zero. 

The actuator failure flag does not change status. 

1.4. 4. 4 Fourth through Eighth Passes 

These passes perform > same operations as the secon> pass. 

1.4. 4. 5 Ninth Pass 

One minor cycle after the eighth call, the ninth call is mad^ by 
the OMP FDI executive if any actuator extension indicator output 'cm 
the previous pass is still nonzero. On this pass, the gimbal deflection 
error and extension indicator are recomputed for those actuators which 
had a nonzero extension indicator output from the eighth pass. 


RKfKODUCj 1 






Figure 1-9. Functional block diagram of the third pass of 
OMS_ACTOATOR_FDI . * 

Refer to Figure 1-10. If tha ninth-pass value of the extension 
indicator differs from the firsc-pass value, the extension indicator 
and the failure counter are sat to zero. If the ninth-pass value is 
the same as the fxrst-pass value and the product of the extension indi- 
cator and giiiiba^ deflection increment is less than a threshold value, 
the failure counter will be incretaented by one; otherwise the failure 
counter is set to zero. The actuator failure flag, P, is set to ON 
if the failure counter has reached t%#o. 

The primary functions of each pass can be summarized on a time 
scale (see Figure )-ll). 

The OKS actuator roi algorithm waits two minor cycles (80 ms) 
after the first call before recording the first measured gimbal deflec- 
tion because an unfailsd OMS actuator requires a finite time to achieve 
a steady-state nominal extension rate in response to an applied voltage. 
Results published in References 2 and 5 and also unpublished results 
(b> M. A. O'Amario) of simulated OKS actuator behavior indicate that 
it requires less than 4u ns (one minor cycle) for an OMS actuator to 
achieve a steady-state nominal deflection rate starting from a rest initial 
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condition. Farther, it requires bet%»een 40 ns <one minor cycle) and 
80 08 (two minor cycles) if, as an initial condition, the actuator is 
extending at a steady-state rate in a direction opposite to the sense 
of the applied voltage 

The Olfi actuator FDI algoritlw waits six sdnor cycles (240 ms) 
after recording the first measured girabal deflection before recording 
the second measurement and testing the computed increment, so that the 
error in the measured increment relative to the nominal size of the in- 
crement is low enough that: 

(1) An actuator tdiich has experienced a full-off failure ar,d is 
not moving has zero ptot>ability of passing the tlireshold test. 

(2) An actuator which is performing nominally has zero probability 
of failing the threshold test. 

The accuracy of the computed ginbal deflection increstent is directly de- 
pendent on the accuracy of the OMS actuator position transducer. The ef- 
fects of OMS actuator position transducer acxniracy on FDX CPt* time and the 
,iu8tification for waiting six minor cycles is discussed in Section 2.4.2. 

In summary, if any QMS actuator is being consmnded to extend or 
retract continuously (as previously defined in this section) for eight 
minor cycles, and if the engine gisbal is not driven to a stop, then the 
counted increment in the measured gisdtMl deflection over the last six 
cycles is coapared to a threshold value to test actuator perfonmmce. 

Two successive failure indications (one second apart) are necessary 
before an actuator failure flag is set to ON. If the gimbai deflection 
error of any actuator is inside the deadzone on the first pass cr ijtoves 
into or through tn^ deadzone after the first pass, cr if the cngir,*.' ginft>al 
is indicated to be at a stop on any pass, then no gimbal deflection in- 
c ement threshold test is performed during that second. 

One of the assumptions in Section 1.4.2 was that the OMS actuator 
FDI algorithm is capable of detecting full-off failures only. Full-on 
failures will also be detected, but not directly. That is, the test per- 
formed or the measured gindaal deflection increment determires only whether 
the gimbal has deflected far enough, not whether it ha& deflected too far. 
For instance, if a full-on extension failure occurs, the gimbal a-^uator 
serve ir>p will eventually sense that the gimbal has extended too far and 
will command i. to retract. At this point, a test under commanded re- 
traction will be performed and failed. In other woids, a fnll-on failure 
in gimbal extension becomes a full-off failure in gimbal retraction 
through the actions o£ the gimbal actuator servo loop. 
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1.4.5 QMS Actuator FDI Input Interface Routine 

The OHS actuator FDI input interface routine accepts coaaanded 
OHS giiriMil deflections fron the FC TVC OAF and neasured OHS giidial deflec- 
tions froai the SOP. The measured OIS giabal deflections are obtained 
from the OHS actuator output position transducer. 

The cosnanded 016 ginbal deflections are provided by the (MS TVC 
DAP as two 2 -dimensional arrays containing the pitch and yaw deflection 
comands for eadi engine. The actuator FDI input interface routine 
refonnts the giidtal deflection commands into one 4-dimeneional array* 
as specified in the input-output requirements in Section 1.4.3. 

In addition* this input interface routine formats the seasured OHS 
giabal deflections into one 4-dimensional array* as specified also in 
Section 1.4.3. 
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SECTION 2 


SOFTWARE FORHULATION 


The software formulation of the QMS PDI algo’* ' thms is described 
in this section. A structured flowchart, estimates of fli^t computer 
core storage and CPP time, and processing requirements are presented 
for the OHS enqine and actuator FDI procedures. A glossary of the 
sysdbols used in this section appears in Section 3. 

2.1 Overview 

2.2 QMS FDI Executive 

The software of the OHS FDI executive has not yet been formulated. 
The ONS FDI executive may be a separate procedure, or it may be simply 
part of the larger RM executive. The actual software formulations, must 
satisfy the general functional requirements given in Section 1.2 and the 
more specific processing requirements discussed in Sections 2.3.3 
and 2.4.3. 


2.3 QMS Engine FDI 

2.3.1 OMS_ENGINE_FDI ; PROCEDURE 

A structural flowchart for HAL procedure OMS_ENGINE_FDI is shown 
in Figure 2-1. A functional description of the operations illustrated 
in Figure 2-1 is given in Section 1.3.4. 

Definitions of the computer variables and constants are given in 
the glossary in Section 3. Estimates of flight computer core storage 
and maximum possible CPU time derived from HAL-FC compilations are given 
in Section 2.3.2. 
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Figure 2-1. Structured automatic flowchart of 0MS_BN6XNE_PDI (sheet 1 of 5) 
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Figure 2-1, Structured automatic flowchart of OMS ENGINE FDI (sheet 2 of 5) . 
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Figure 2-1. Structured automatic flowchart of OMS ENGINE PDI (sheet 4 of 5) 
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2.3.2 Plight Computer Core Storage and CPU Tima 

The following OHS engine FDI algorithm data is derived from HAL-PC 
eoiBpilationst 

Plight Computer Core Storage: 

Data 11 words 

Procedure = 70 words 

Total - SI words 

Plight Coo^uter CPU Time; 0.341 ms/s (0.034%) 

Core storage requirements are confuted by the HAL conqpiler and 
printed out as part of the con^ilation, while the CPU time is an estimate 
of the maximum possible time required to execute all the computations of 
the procedure. 

The maximum time estimate is based on combining the CPU times for 
each statement in the longest possible path (timewise) through the 
procedure's logic. The CPU times for each statement are also confuted 
as part of the compilation. 

2.3.3 Processing Requirements 

The procedure 0HS_ENGINE_PDX is normally called once per second 
during an OHS burn. It may also be called prior to and after an OHS 
bum for on-failure detection. There are three situations, however, in 
which OHS engine FDI processing should be inhibited: 

(1) During OHS thrust buildup immediately after commanded engine 
ignition. 

(2) During OHS thrust tailoff immediately after commanded engine 
shutdown . 

(3) During RCS DAP operation. 

With respect to the first two situations, the problem is that 
tnrust buildup and tailoff are not modeled in the computation of the 
increment in the added velocity due to OHS thrust. Because the procedure 
is designed to detect and identify full-off or full-on failures only, it 
implicitly assumes that the thrust from an OHS engine is either at the 
nominal design level or at zero. Thus, for exeunple, during thrust build- 
up in a two-engine burn, it might appear to the OHS engine FDI procedure 
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that the velocity increment over the last second indicates that only one 
engine is firing. This incorrect indication would cause a false alarm. 
Therefore* the procedure 0MS_BNGINB_FDI should not be called during a 
1-second Interval Immediately after commanded engine ignition or shut- 
down. The l-second Interval, which allows for thrust buildup or tailoff, 
is based on OHS data in Reference 3. 

The third situation occurs whenever the RCS DAP is operating, thus 
causing RCS jets to fire. In the event of RCS jet firings, the incre- 
ment in the added velocity due to OHS thrust, which is computed directly 
fram IHO-mounted accelerometei Information, would mistakenly contain con- 
tributions from RCS jet thrust also. The incorrect velocity increment 
could cause an incorrect determination of the number of engines which 
are firing, thus leading to misalarms or false alarms. This third situa- 
tion, in which there is a conflict between RCS DAP operation and desired 
OHS engine FDI processing, can be identified for several flight control 
modes : 

(1) RCS attitude-hold prior to OHS ignition (prevents pre-burn 

OHS on- failure detection) . 

(2) RCS attitude-hold after an OMS burn (prevents post-burn QMS 

on- failure detection) . 

(3) General RCS-assist for attitude control immediately after a 

single OHS failure during a two-engine burn (prevents FDI 

* 

on the remaining good engine) . 

(4) Roll-only RCS-assist during single-engine OMS operation: 

(a) For the remainder of a two-engine burn after a single 
failure. 

(b) For a single-engine burn (prevents FDI during single- 
engine operation) . 

The OMS engine FDI procedure should not be called during RCS DAP opera- 
tion in any of these four situatir^.s. 

Two gualificaticns of these statements should be noted here. The 
first involves the specific restrictions on OMS engine FDI processing 
given in it«ms (1), (2), and (4). It may be possible to adjust the- 
velocity increment thresholds (i.e., provide enough margin) to allow 
OMS engine FDI processing during these flight control modes. The 


The RCS DAP is not activated until a failure has been identified. 
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reasons are that during RCS attitude-hold and roll-only RCS-asslst, 
the frequency and duration of RCS jet firings, relative to the l-second 
Interval over which the velocity Increment Is calculated, are such that 
the AV contribution due to RCS jet firings should be small relative to 
that of an OHS engine. Also, the candidate jets for use In roll-only 
RCS operation (Item (4)) are limited. The direction and magnitude _ 
their thrust Is known, and If their AV contribution Is small enough. 

It may be Ignored. Further analysis and simulation results will resolve 
the question of the need for the restriction listed In Items (1), (2), 
and (4). 

The second qualification Involves the restriction o£ Items (1) 
through (4) In genera.' . If the RCS DAP would compute on a periodic 
basis the expected AV due to RCS jet firings, then OHS engine FDI pro- 
cessing could continue in any situation of RCS DAP operation. The rea- 
son is that tl.i.* AV contribution of RCS jet firings could then be sub- 
tracted from the IHU-derived velocity Increment in order to obtain the 
contribution from QMS thrust only. This computation could be performed 
In either the FC or RM module. 

2.4 QMS Actuator FDI 

2.4.1 OMS_ACTUATOR_FDI: PROCEDURE 

A Structured flowchart for HAL procedure 0.i3_ACTUAT0R_FDI is shown 
in Figure 2-2. A functional description of the operations illustrated In 
the Figure 2-2 Is given In Section 1.4.4. 

Definitions of the computer variables and constamts are given in 
the glossary In Section 3. Estimates of flight computer core storage 
and maximum possible CPU time derived from HAL-FC compilations are 
given in Section 2.4.2. 

2.4.2 Flight Computer Core Storage and CPU Time 

The following OMS actuator FDI algorithm data are derived from 
HAL-FC compilations. 

Flight Computer Core Storage: 

Data “ 21 words 

Procedure - 83 words 

Total “ 104 words 

Flight Computer CPU Time “ 7.665 ms/s (0.767%) 


32 



Ul 


M 


" CBS.AClUIO&.fOX: ■ 

m 

» EBCCEOOBEi » 


MVmtMIIMMIMIIIIINVIlHIVIMMiaiMllfffMNItlfllCHIiniMI 

•■BLOCK SOBBKBX ” 

It n 

COHCOOL VKBIBBLES OSBO: " 

■ CECLKBEO IB CCBEOOL FDIPOCL: " 

■ OaS KCIOKIOfi BETBKO ” 

" OaS_AC10KICB_BXTBBD« " 

■ OBS KCTOATOB FAIL* " 

" CBS GIEBAL " 

■ OBS 6IBBAL CBO " 

■ OBSA.CALL CCOBTBB ■ 

■ OBSA.lRir.FLAG ■ 

RliMiiniiiMiM* paminnii HMMHlHlMHnMMMN NnHanp 


lECtABE ACIOATOA.f AlL.CCDBlsA AaAAi |A> IBIEGEB S1H6LE SIATIC, 
CBS.SEAVC.ABF.LEACEABL ECALAE S1B6LE COBSTABT (7) , 

I lEtEGlE SIBGLL AOICBAllC, 

CLC.CBS.GJBBAL AAAAI(lt) SCAIAB SIBGLE dXATIC, 
OBS_GlBbAL_lBCb_IUiaSHC< L SCALAB SIBGLE COBSTABT (1 1 ) , 
OBS.GIBBAL.STCF AEsAI |«) SCALAE SIBGLE COBSTABT (7. B, 7. 8), 
CLt.CaS.ACTUAlOE.EXlEBL ABBAX (A) IBIEGEB SINGLE STATIC, 
OBS.GIBBAL.EEEOE ABBAI 14) SCAIAE SINGLE AOT.'BATIC; 


I 

I 

I 


IP CBSA.IBIT.FLAG = C« • 


THEN •••••*•••••••••••••••••••••••••• 

♦ • (ACIUATOB_FAIL_COOBTEE] = 0; * 

I •••«••*••••••••••••«•*•••••«•••• 

I 


I 

I ELSE 

• PC FOB I = 1 TO «S • 


•••••«* 
'• 2 • 


Figure 2-2 


Structured automatic flowchart of OMS ACTUATOR FDI (sheet 1 of 7) 
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flowchart of OMS ACTUATOR FDX (sheet 2 of 7) 
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Figure 2-2. Structured automatic flowchart of OHS__ACTUATOR PDl (sheet 3 of 7). 
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automatic flowchart of OMS ACTUATOR FDI (sheat 5 of 7) 
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Figure 2-2 


Structured automatic flowchart of OMS ACTUATOR FDI ( sheet 6 of 7) 
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Figure 2-2. 


Structured automatic flowchart of OMS ACTUATOR FOX (sheet 7 of 7) 



Core storage requirei^nte are computed by the HAL coiqailer and 
printed out as part of the compilation* while the CPU time is an esti- 
mate of the maximum possible tine required to execute all the cooputa- 
ti(»i8 of the procedure. 

The maximum time estimate is based on combining the CPU times for 
each statanent in the longest possible path (timewise) through the 
procedure's logic. The CPU times for each statement are also cos^uted 
as part of the compilation. 

The maximum possible actuator FDI CPU time as summarised above 
can be reduced if the OHS actuator position transducer accuracy speci- 
fication is upgraded. The method of determining the effect of position 
transducer accuracy on QMS actuator FOX CPU time is described in detail 
in Section 4.4 and in Refer^ce 6. Only the results will be presented 
here. 

According to the accuracy specification stated in Reference 7* the 
accuracy is tQ.l volt for a transducer scale factor of 2.0 volts per inch, 
or to. 05 inch of actuator extension, which translates to iO.157** of 
girabal deflection. The OHS actuator FDI algorithm described herein has 
been designed with such an accuracy constraint, and it requires wait- 
ing six minor cycles to conpute a measured gimbal deflection. If the po- 
sition transducer accuracy can be upgraded to ±0.019 volt with the same 
scale factor, thus yielding ±0.0095 inch or ±0.03°, the actuator FDI 
algorithm can be modified to wait only one minor cycle, and the maximum 
possible CPU time can be reduced to 3.476 ms/s or 0.348%. This is a 
decrease in CPU time of a factor of about 2.2 for an increase in posi- 
tion transducer accuracy of about 5. For an earlier version of the 
OHS actuator FDI algorithm (evaluated in Reference 6) , the decrease in 
CPU time was about a factor of 2.5. 

2.4.3 Processing Requirements 

The first call to the procedure OMS_ACTUATOR_FDI is made once per 
second during OHS gimbal actuator operation. Each subsequent call to 
the procedure, at intervals of one minor cycle (40 ms) , is performed 
by the OHS FDI executive only if at least one of the four actuator 
extension indicator outputs from the previous call is nonzero. Nine 
calls would be necessary during any 1-second interval for a complete 
actuator performance test. 


40 



SECTION 3 


GLOSSARY 


This section is a glossary of the constants and variables used 
in this document. (See Table 3-1 for the OMS engine FDI constants and 
variables and Table 3-2 for the OMS actuator FDI constants and vari- 
ables.) Included for each variable and constant are its name, type/ 
attribute, description, units, and value or range. The modules where 
the constant or variable is declared, assigned, and referenced are 
also given. Codes and definitions of the symbols used in the type/ 
attribute designation appear in Table 3-3. 
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Teible 3-1. OMS engine FDI glossary 




1 Nan» of Variable or Constant 








Cooputar 

Notation 

Hathsoatieal 

Rotation 

Typ*/ 

Attribute 

Osooriptioa 

emits 

Value or 
Range 

Declared in 

Asalgnod in 

Referenced in 

ROtX^AXSn0B_ 

AOCSL 

r 

Sc/SP 

Boll disturbance accel- 
eration estiaate 


-2.0£X<2.0 

COBffOOL 

PARTl^PZLTBR 

ONB_BNGXHB_PDI 

R01iJ^CCBL_ 

THS8880LD 


Sc/SPpC 

Roll acceleration 
threshold 

dag/a^ 

TBO' 

0M8_BNGDI8^P0Z 

OHS^BNCtOB^FDX 

0HSJBHSXN8_PDX 

CMBIJONJCMD 

aH81J3R_CMD 

V- 

0«6 EnBine 1 GN/OPP 
ecanand 

nons 

0,1 

OOWOOL 

O&BBG JMD 

OMBJBMaHB_PI»I 

0HS2J3N_CKD 

OMS2_Jn_CM) 

B/- 

OHS Engine 2 OB/OrP 
cuQsund 

none 

0.1 

0019001. 

GMB_GHajCHD 

0H8_,BBSXNB_FDX 

AOCaMJSt.IA_ 

v_wo* 

|4V^I 

Sc/SP.* 

lacreoent in ttie added 
velocity due to (MS 
thrust 

ft/a 

0^<3.0 

OHB_BHCTNB_PDX 

ONSJWSXHB.PDX 

0MS_ra6ZHB_P0Z 

ORS roqTffi 

THBgSHPLD 

&v 

*1 

Sc/SP pC 

One-engine velocity 
incraaeot threshold 

ft/s 

TBO 

0H8_BNGXtS_F0Z 

MJ»GXIIB_PDX 

0NS_BBSXMB_PDX 

1W0JZNCINB_ 

THBESHKJ) 

Av 

“2 

8c/SP«C 

•engine velocity 
incrottot threshold 

fe/a 

T8D 

aHS_BHGZNB_PDX 

QMSJBIOXBB^PDX 

OHB_ENaXSB_FDI 

0HB1_F%ZL 

OMSIJPML 

B/- 

CMS Engine 1 failure flag 

none 

0.1 

GOIffOtt. 

OMBJtBCTNB^PDI 

OHS PDX Bseeutive 

Om2 PUE. 

ONSfjPAXZ. 

a/- 

om Engine 2 failure flag 

none 

0.1 

O0I9OQI. 

OHBjaiaXMB_FDX 

ONB PDI Bseeutive 

0«SE_II«T_ 

FLAG 

o#OB_iNrr_ 

PLUG 

8/- 

Initialisation flag 

none 

0.1 

OOWOOL 

OHB PDX 
Bseeutive 

OHB^BBOXHB^PDX 

AOCON_ 

OBLISIJP 

V 

-a 

V(2)/BP 

Added velocity due to 
OHS thrust 

ft/s 

-1000«^1000 

oomoL 

Baedwre/SOP/ 
OHB Batina POt 
HR 

OMB_BBal«_POt 

. 02D_accaH_ 
oemjr 

"“ou. 

V(3)/SPp 

St 

last valoa of addad 
velocity dua to OHB 
thtoat 

ft/8 

-lOOOoKlOOO 

0HS_BR6XNB_PDX 

csajBKxmjDt 

OttB^HMXS8_POX 














Table 3-2. OMS actuator FDI glossary 


N«ae of Varl*iol« or Conat«nt 








Conputer 

Notation 

HathoMtical 

Notation 

Type/ 

Attribute 

Description 

Units 

Value or 
Range 

Deriared in 

Aasigned in 

Referenced in 

(OMS__GJMBAL] 

'V 

A(4)«Sc/Sf 

Array ot OHS piabal 
deflections 

deg 

-e.cKxie.o 

C0S9OOL 

Hardware/SOP/ 
OMf Actuator 
FDI IXR 

OMS_ACrUATOR_PDZ 

kOLOjDHS_ 

CI«ALI 

<«» > 
OLD 

A (41, Sc/ 

SP.St 

Array of values of Ma- 
tured OMS 9iab«i deflec- 
tions 

deg 

-a.CKx^e.o 

OHS_ACTUATOR_ 

PDI 

OMS_ACTUATOR_ 

POX 

OeSJiCTUATOR^PDI 

CMDI 

"c' 

A(41,Se/ 

SP 

Array of ccosanJed OMS 
gioCial deflections 

deg 

-8.<Kx<^S,0 

COMPOOL 

TVC_pAP/DHS Ac- 
tuator FDX IZR 

OM8JiCrUATOR_PDZ 

(OHS Acn>> 
ATos_ErnaiD] 

(El 

At4),l/SP 

Array of OHf actuator 
extension indicators 

none 

-l,0,l 

COHPOOL 

(»O_ACT0ATOR_ 

PDI 

0MB JiCTUATOR_PDI , 
OHS PDX Executive 

(OLDjOMS^ 

ACtT»TOR_ 

EXT0ID1 

'"ou,' 

A(4),1/SP, 

St 

Arrey of first-peee 
values of uns eetuetor 
extension indicetora 

RMte 


OHBJiCTUATOR^ 

PDX 

OMS_ACTUATOR_ 

PDI 

oeejicniAToii^rDi 

OHSJSEFVO^ 

AMP_ 


8c/SP«C 

0M5 servo eapli.'ier 
deedxone 

deg 

0.43 

OMS_ACrOATOR_ 

FDI 

onsjicroATOR_ 

PDI 

OMBJiCraATOIt_/DZ 

nrADBAMO 









(OWJkCTOATOS. 

PAILI 

. tpl 

A<4),B/ 

Array of c*' i actuator 
failure flags 

none 

O.I 

COHPOOL 

OMB_ACTOATOil_ 

PDZ 

OMS PDI Executive 

I 

I 

X/SP.A 

Xndex variable and 
counts': 

none 

1.2r3,4 

OMB_ACTUATOR_ 

FDI 

OM8_ACTUATOR_ 

FDI 

ONSJ^CTUATOR^PDI 

OHSA_rifJT_ 

FLAG 

OKSA__INXT_FLAC 

B/- 

Znitialiseti^ flag 

none 

0,1 

C0I9OOL 

OMS PDX Execu- 
tive 

OHBJICrUKrORPDl 

1ACT0AT0R_ 

PAIL^COWTEF 

[Cl 

A(4),x/sr 

Array of OHS actuator 
failure counters 

none 

0,1,2 

OMBJkCrUATOR_ 

FDI 

0HBJiCTUAT0R_ 

PDI 

OMSJkCTUATORJVZ 

OHSA_CALL_ 

COUMTEB 

OHSA_^CALL_ 

COWTER 

I/SP 

Procedure call counter 

none 

1,2,3, 4, 3,6, 
7,8,9 

COMPOOL 

OHS PDZ Execu- 
tive 

OMS JiCTUATDR^rOZ , 
OHS PDI Executive 

OHS_CIWAL_ 

XHCF_ 


Sc/SP,C 

OHS giodial deflection in- 
creOMnt threshold 

deg 

0.360 

0HS_ACTUAT0R__ 

FDI 

OMSJ»CTOATOR_ 

FDI 

OHSJkCTUAtOft^PDI 

TmSSHOLD 









|CN6_GIieAL_ 

STOFl 

‘W 

A(4),Sc/ 

SP,C 

Array of OKS gise»al stop 
values 

deg 

(6.98,6.98, 

5.96,6.98] 

0«B_ACTUATOR_ 

PDI 

OHSJiCrUAtOR_ 

PDI 

QMS_ACTUATOR_PDt 

■ [OMS_GIMBAL_ 
ERIOR] 

[5.J 

A(4),Sc/ 

SP 

Arrey of OMS ginbal de- 
flection errors 

deg 

-16.0WX06.0 

OHS_ACTUATOR_ 

FDI 

OM8_ACTOATOR_ 

POX 

OMS_ACTUATOR_FDI 















Table 3-3. Codes for type/attribute column. 


Key for Type 
A(i) - Array (i) 

V(i) - Vector (i) 
Sc - Scalar 
I - Integer 
B - Boolean 


K ey for Attribute 
SP - Single Precision 

A - Automatic 

C - Constant 

St - Static 


44 



APPENDIX A 


SUPPLEMENTARY MATERIAL TC OMS FAILURE DETECTION 
AND IDENTIFICATION ALGORITHM DESIGNS 


Thia appendix contains material supportive to the OMS Failure 
Detection and Identification Algorithm designs presented in Sections 1 
and 2. 


A. 1 Overview 

A. 2 Appendix to OMS FDl Executive 

A. 3 Appendix to OMS Engine FDI 

Failure Flag Summary Charts 

The three charts in Figures A-1 and A>2 illustrate the failure 
flag oi'tputs produced by OHS_ENGINE_FDI as a result of all possible 
combinations of procedure inputs (engine firing commands and roll dis- 
turbance acceleration estimate) and the actual engine firing conditions 
(two, one, or zero engines firing). Each chart corresponds to one of 
the engine firing conditions. 

The OMSl and OMS2 failure flag outputs are given in the row 
entitled "present failure flc values" for the columns headed by each 
possible combination of engine commands. The OMS_FAIL_DETECT flag 
output is listed in Figure A-2 for the case of one engine firing. For 
all of the charts, logic "0” is defined herein as a flag or command 
set to OFF, and logic "1" is a flag or command set to ON. Note that the 
logic symbols in each case are located in a box. Each box is divided 
by a diagonal where the upper-left value corresponds to OMS Engine 1, 
and the lower right value corresponds to OMS Engine 2. 

Included with the One-Engine-Firing chart on Figure A-2 is a 
diagram which defines the three regions A, B, and C of the roll distur- 
bance acceleration estimate which are used in that chart. The diagram 
also indicates that a positive roll disturbance acceleration estimate 
occurs when OMSl is OFF and OMS2 is ON, and a negative roll disturbance 
acceleration estimate occurs when OMSl is ON and OMS2 is OFF. This 
relationship between the sign of the roll disturbance acceleration 
estimate and the ON/OFF status of the OMS may be explained as follows. 


45 




Figure A-1. Failure flag summary charts; two engines firing 
and zero engines firing. 

In the OMS engine FDI procedure, the roll disturbance acceleration 
estimate is used to identify which engine has failed in the situations 
v^ere only one engine is firing and both engines are commanded ON or OFF. 
Under the assumption that in those situations the alignment of the 
engines is at or near crim,* then the yaw deflection of each engine 
would be such that neither engine could point behind the center of 
gravity in the yaw plane. Therefore the sign of the roll acceleration 
produced by each engine is the same for all possible pitch >'*ef lections: 
negative for OMSl and positive for 0MS2. 


* 

That is, near the vehicle XZ plane. 
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PRESENT 

ENGINE 

COMMANDS 


ROLL 

DISTURBANCE 

ACCELERATION 

ESTIMATE 


PREVIOUS 
failure flag 
VALUES 


PRESENT 

failure flag 
VAL liES 



OMS1 ON 
OMS2 OFF 


OM81 OFF 
OMS2 ON 














The roll disturbance acceleration estimate is essentially defined 
as 



(A-1) 


vdtere 

> measured roll acceleration 
» extrapolate ’''■•11 acceleration* 


Hence* if both engines are coaaaamied ON or OFF, the roll disturbeuice 
acceleration will be approximately equal to 

(1) The negative of the extrapolated roll acceleration of a 
failed-off en'^ine.** 


or 


(2) The measured roll acceleration of a failed-on engine. 

Combining these two definitions with the fact that OMSl produces nega- 
tive roll acceleration and 0NS2 positive roll acceleration yields the 
relationship between the sign of the roll disturbanca acceleration 
estimate and the ON/OIT status of the engines as 

OMSl commcutded OFF 
0HS2 conmanded OFF 
OMSl fails ON 

OMSl commeuided OFF 
0NS2 jixnmanded OFF 
0MS2 fails ON 

OMSl commanded ON 
0MS2 commanded ON 
OMSl fails OFF 


* 

An extrapolated quantity is defined as the extrapolation of the 
quantity's previous estimate* and it may be thought of as a predic- 
tion of the quantity. 

* 

Here it is assumed that the measured and extrapolated roll accelera- 
tion of an unfailed engine are nearly equal. 
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OMSl cooraanded ON 
OMS2 coaimanded ON 
OMS2 fails OFT 



To illustrate the way the charts may be used and to verify the 
correctness of the outputs, consider two cases for which the 0MS1_FA1L 
flag should be set to ON: 

(1) ONSl fails (KT when botii engines are commanded ON. 

(2) ONSl fails ON when both engines are commanded OFF. 

In both cases, since one engine is firing, the chart in Figure A-2 is 
applic 2 d>le. Also, it is assumed that is outride the dsadzone. 

Case 1 ; 

OMSljCMD = 1 

0MS2CMD ° 1 

ONSl is OFF 1 

} “d ^ ^ 

0MS2 is CMJ J “r 

Previous 0MS1_FAIL - 0 (assumed) 

Previous 0MS2_FA1L = 0 (assumed) 

Present OMSI FAIL = 1 

Present 0MS2 FAIL = 0 


Case 2 t 

(MlSljCMD = 0 

0MS2_CMD = C 

OMSl is ON ) ^ 

> ^ 

0MS2 is OFF ) r 

Previous 0MS1_FAIL = 0 (assumed) 

Previous 0MS2_FAIL = 0 (assumed) 

.'. Present OMSI FAIL = 1 

Present 0MS2 FAIL > 0 


A 


In botl*. cases, when OMSl failed (assuming both OMSl and 0MS2 had not 
faile ( in the past), 0MS1_FAIL was set to ON and 0MS2_FAIL was left OFF. 
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A. 4 ^pe n dix to QMS Actuator FDI 

The OMS actuator FOI procedure compares the increment in the meas- 
ured cimbal deflection over six minor cycles (240 ms) to a threshold 
value to determine if an actuator has failed. Two successive failed 
threshold tests result in activation of a failure flag. The threshold 
value is set such that the measured gimbal deflection of an actuator 
which has experienced a full-off failure is less than the threshold, 
and the measured gimbal deflection of an actuator which is performing 
nominally is greater than the threshold. The desired result of no 
full-off miralarms or full-on false alarms is thus achieved. The 
accuracy of the OMS actuator output extension position transducer* 
directly affects not only the number of minor cycles over which the 
deflection increment is computed, but also the value at which the 
threshold is set. 

The measured increment in the OMS gimbal deflection is given by 


+ n AT) - 6 It) 
mm m 


(A-2) 


where AT is the minor cycle time (40 ms) , and n is the number of minor 
cycles over which the increment is computed. The error in the deflec- 
tion increment is therefore 


~ £g(t + n AT) - Cg(t) (A-3) 

where ^^(t) is the error in the ..leasured gimbal deflection at time t 
introduced by the OMS LVDT position transducer. (The additional error 
introduced by ’ he A/D conversion of the position transducer output 
signal is an order of magnitude lesi. and is neglected) . 


A pessimistic upper bound on the error in the deflection incre- 
ment is found by assuming that the errors in the gimbil deflection 
measurements at the two times are negatively correlated and of maximum 
magnitude 


^A6 *itiax ~ ^ ^ 


'6 'max 


(A-4) 


The measured gimbal deflection is equal to the measured actuator 
output position scaled to angular measure. 
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In reality, if the actual position transducer output is a sufficiently 
"smooth" function of the actuator extension, then the error in the glmbal 
deflection measurement at time t ■(- nAT would be positively correlated 
with the error at time t, provided that n were not too large. However, 
in the 2 d>sence of a realistic model of the position transducer error 
sources, the more conservative approach of assuming negative correla- 
tion is taken. 

The OHS a-^tuator position transducer accuracy specification in 
Reference 7 lists the accuracy of the LVDT as ±0.1 volt.* The scale factor 
of the LVDT is 2.0 volt per inch, an', there are 3.14 degrees of gimbal 
deflection per inch of actuator extension. Combining this data 
and referrii.g to Eq. (A-4), one obtains 


-r 


'A6 'max 


= 0.314‘ 


(A-5) 


The lower limit of acceptedile performance in the OHS actuator procure- 
ment specification^^^ is 3.0"/s. In order that there be no misalarms 
in the case of a full-off failure and no false alarms in the case of 
lower-limit nominal performance, the error in the deflection incre- 
ment must be less than one half the increment itself. Otherwise, a 
deflection rate of 0.0"/s could not be distinguished from 3.0"/s by 
means of a measured gimbal deflection increment. 

For a constant deflection rate of 3.0"/s, the actual gimbal 
deflection (in degrees) is 

A6 = 3 n AT = 0.12 n (A-6) 

In order that I ’ess than 0.5A5, n must be at least 6. 

Thus, the accuracy of the OMS ac'-uator position transducei is such that 
it requires wait'ng six minor cycles (240 ms) to compute a gimbal 


* 

After the algorithm designs presented in this report were completed, 
but before publication, a new OMS actuator math model, a new OMS 
position transducer accuracy specification, and new OMS actuator per- 
formance requirements were received. The analysis of this section 
and the design of the OMS actuator FDI procedure will be reworked 
in light of the new data. However, only minor changes of parameter 
values are anticipated. The basic algorithm structure will be 
unchanged . 


Superscript numerals refer to similarly numbered references in the 
List of References. 
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deflection increment which can only distinguish between a £ull-o££ 
failure (0.0**/s) and a lower-limit nominal performance (3.0**/s). 

Ideally, one would want to wait only one minor cycle between the 
two samples of the measured gimbal deflection fox ..he increment confu- 
tation. The reason is that the CPU time consiuned by the (UlS actuator 
FDI procedure in any 1-second interval is directly proportional to the 
number of minor cycles between the two samples, because at each of 
those minor cycles the procedure must be called to check the gimbal 
deflection error to determine if the actuator input voltage is being 
continuously applied over the interval. Otherwise the actuator is not 
extending continue isly, and the threshold test should not be performed. 

To wait only one c\cie (n = 1) , the accuracy of the measured gimbal 
deflection would hev^ to be ±0.03**, implying an OMS position transducer 
accuracy of ±0.019 volt for the same scale factor. This represents an 
increase in accuracy of about a factor of 5. The CPU time savings which 
can be obtained by this increased position transducer accuracy are 
described in Section 2.4.2. 

Returning to the situation based on the accuracy specifications of 
Reference 7 for which n = 6, the actual gimbal deflection increment over 
six minor cycles for a constant rate of 3.0*/s is 0.72® (see Eq. (A-6)). 
Given that the error in the deflection increment can be as large as 0.314“ 
(see Eq. (A-5)), the permissible range for the threshold is 

0.314“ < < 0.406“ (A-7) 

That is, if were less thfui 0.314“, a full-off failure might pass 
the test, and if were greater them 0.406“, an actuator performing 
nominally at 3.0“/s might fail the test. The threshold is arbitrarily 
set at the midpoint of the permissible range 

A6^ = 0.360“ (A-8) 

To f mmarize the possibilities: 

(1) An OMS actuator performing below 0.192“/s will always 
cause a failure indication. 

(2) There will never be a false alarm for an OMS actuator 
which is performing above 2.808“/s. 

(3) OMS actuators performing between 0.192“/s and 2.808“/s may 
or may not cause failure indications. 
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0£ course, if either the accuracy of the OHS position transducer is 
upgraded or more than six minor cycles are used for the gimbal deflec- 
tion increment congmtation, the area of uncertainty will shrink eund 
more specific information about actuator performance can be deduced 
from the threshold test. 
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LIST OF ABBREVIATIONS 


Symbol 

Description 

eg 

center of gravity 

CO 

checkout 

CPU 

centra' processing unit 

CRT 

cathode ray tube 

•JAP 

digital autopilot 

D&C 

displays & controls 

PC 

flight control 

FCS 

flight control sysizem 

FCOS 

flight computer operating system 

FOl 

failure dct'^ction cuid identification 

GN&C 

guidance, navigation, & control 

GPC 

general-purpose computer 

QUID 

guidance 

HC 

hand controller 

HR 

input interface routine 

IHU 

inertial measuring unit 

LVDT 

linear voltage differential transfojnner 

MSC 

moding, sequencing, & control 

MTU 

master timing unit 

NAV 

navigation 

OFC 

on-orbit flight control 

OMS 

orbital maneuvering system 
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LIST OF ABBREVIATIONS (Cont.) 

Symbol 
PH 
RCS 
RHC 
RH 
SH 
SOP 
TBD 
THC 
TVC 


NOTATION CONVENTIONS 

estimated quantity 
extrapolated quantity 
vector 

measured quantity 
matrix 
array 
Boolean 



Description 
performance nmnitoring 
reaction control system 
rotational hand controller 
redundancy management 
system management 
subsystem operating programs 
to be determined 
translational hand controller 
thrust vector control 
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